
Zero Trust Protocol (ZTP)

Written by


REALLY

REALLY Wireless' Zero Trust Protocol

Summary

  • Assume breach. Minimize data. Compartmentalize. Verify.

  • Anonymous signup & systems — no PII required to operate service.

  • No subscriber-identity mapping — we don’t create/keep a table linking a person to IMSI/IMEI/MDN.

  • No centralized, identity-linked archive — operational records are minimal and short-lived.

  • Field-whitelisted interfaces — least privilege, audited, and narrow by default.

  • No data monetization.

  • Due process only for lawful requests.

  • Critical control on servers operated by REALLY with segmentation and hardening.

1) Scope & Definitions

  • Scope: All systems that provision, operate, bill, support, or monitor phone service (OSS/BSS, mobile-core control planes, service APIs, data stores, logging/metrics, and support tools).

  • Operational identifiers: Network/technical IDs needed to run service (e.g., SIM/eSIM, session tokens).

  • Identity-linked archive: Any datastore tying human identity (PII) to historical service usage. Prohibited.

2) Threat Model (high level)

External attackers, insider misuse/over-privilege, partner/host data exposure, and device-level compromise are treated as expected risks. ZTP addresses carrier-side risks; device guidance is provided separately.

3) Core Principles (requirements)

  • Minimize: Collect only what’s required to make service work. No PII for service operation; anonymous signup & systems are mandatory.

  • Compartmentalize: No subscriber-identity mapping and no centralized, identity-linked archive.

  • Verify & limit: Field-whitelisted interfaces; least-privilege access with MFA and continuous logging; short, published retention ceilings with tested deletion.

  • Don’t monetize data: No sale or brokerage of customer service/usage data.

  • Due process only: Respond to valid, narrowly scoped, court-supervised legal process.

  • Control the control-plane: Critical control runs on servers operated by REALLY with network/data segmentation.

4) Controls Matrix (Principle → Control → Evidence)

  • Minimize: Schema linting blocks PII; per-feature collection specs. → Retention Matrix + change controls.

  • Compartmentalize: Prohibit identity-join keys; separate trust domains. → Architecture diagrams showing fields that never cross.

  • Verify & limit: RBAC/JIT/MFA; quarterly access reviews; auto-deletion + deletion tests. → Access logs, API diffs, deletion-drill reports.

  • No monetization: Contractual and technical blocks on ad/analytics sharing. → Public Monetization Attestation.

  • Due process: Legal request playbook; scope-narrowing. → Transparency Report metrics.

  • Control-plane: Segmented infra; hardening baselines; signed builds/SBOM. → Segmentation & hardening evidence.

5) Data Lifecycle (Create → Delete)

  • Create: Minimal operational data; no PII.

  • Store: Sharded by function; no cross-domain identity joins; encryption at rest.

  • Use: Purpose-bound; support tools see pseudonymous context only.

  • Share: Default no-export; any required interface is field-whitelisted and logged.

  • Keep: Brief retention per Retention Matrix.

  • Delete: Automatic TTL expiry + scheduled deletion drills with recorded outcomes.
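The Keep and Delete steps above (a published TTL per table, automatic expiry, and scheduled deletion drills with recorded outcomes) can be made concrete in a few dozen lines. The code below is an added example, not REALLY's own code: it assumes a hypothetical Retention Matrix mapping each operational table to a TTL in hours, and the sample rows it scans are constructed inline. The drill deliberately does not reuse the expiry job's result; it re-scans whatever the store currently holds, so it would catch an expiry job that silently stopped running or a table with no published ceiling.

```python
"""Retention Matrix enforcement: automatic TTL expiry plus a deletion drill.

Added example, not REALLY's own code. The matrix, tables and rows below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical Retention Matrix: table -> TTL in hours (values are constructed).
RETENTION_MATRIX = {
    "session_tokens": 24,
    "core_control_events": 72,
    "support_context": 168,
}


@dataclass
class Record:
    table: str
    created_at: datetime
    payload: dict  # operational fields only; no PII by construction


@dataclass
class DrillReport:
    """Recorded outcome of one deletion drill."""
    drilled_at: datetime
    scanned: int
    violations: list  # (table, reason) for every row that outlived its ceiling

    @property
    def passed(self) -> bool:
        return not self.violations


def ttl_for(table: str) -> timedelta:
    """Look up the published ceiling; a table without one is a policy gap."""
    hours = RETENTION_MATRIX.get(table)
    if hours is None:
        raise KeyError(f"{table!r} has no published retention ceiling")
    return timedelta(hours=hours)


def is_expired(rec: Record, now: datetime) -> bool:
    return now - rec.created_at > ttl_for(rec.table)


def ttl_expiry_job(store: list, now: datetime):
    """Automatic TTL expiry. Returns (surviving_rows, purged_count).
    Raises on an uninventoried table so the gap is noticed, not skipped."""
    survivors = [r for r in store if not is_expired(r, now)]
    return survivors, len(store) - len(survivors)


def deletion_drill(store: list, now: datetime) -> DrillReport:
    """Scheduled drill: independently re-scan the store for rows past TTL.
    Unlike the expiry job it never raises; a missing ceiling is a finding."""
    violations = []
    for rec in store:
        try:
            ttl = ttl_for(rec.table)
        except KeyError:
            violations.append((rec.table, "no retention ceiling"))
            continue
        age = now - rec.created_at
        if age > ttl:
            age_h = int(age.total_seconds() // 3600)
            ttl_h = int(ttl.total_seconds() // 3600)
            violations.append((rec.table, f"aged {age_h}h > ttl {ttl_h}h"))
    return DrillReport(drilled_at=now, scanned=len(store), violations=violations)


NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock


def sample_store(now: datetime) -> list:
    """Constructed sample rows; ages chosen to straddle each table's TTL."""
    def hours_ago(n):
        return now - timedelta(hours=n)
    return [
        Record("session_tokens", hours_ago(1), {"session_id": "s-1"}),
        Record("session_tokens", hours_ago(30), {"session_id": "s-2"}),
        Record("core_control_events", hours_ago(50), {"event": "attach"}),
        Record("core_control_events", hours_ago(100), {"event": "detach"}),
        Record("support_context", hours_ago(10), {"ticket_id": "t-9", "pseudonym": "p-42"}),
    ]


if __name__ == "__main__":
    store = sample_store(NOW)
    print("before expiry:", deletion_drill(store, NOW))
    survivors, purged = ttl_expiry_job(store, NOW)
    print(f"purged {purged} rows; after expiry:", deletion_drill(survivors, NOW))
```

The drill report is the artifact a Retention Matrix entry's "last deletion-drill status" would point at: it records when the scan ran, how many rows it covered, and every row that outlived its ceiling, so a passing drill is evidence rather than an assertion.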

6) Access & Interfaces

RBAC with just-in-time elevation and MFA on all privileged surfaces; production access is time-boxed and recorded. Interfaces are allow-listed by field; new fields require security/privacy review.
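Two of the controls named above, "schema linting blocks PII" and "prohibit identity-join keys" from the Controls Matrix, and the field-allow-listed, logged interfaces of this section, share one mechanism: a denylist of fields that may never exist, and an allow-list of fields that may cross each interface. The code below is an added example, not REALLY's own code. It assumes hypothetical denylists of PII field names and identity-join keys, a hypothetical Interface Inventory mapping each export to its allowed fields, and constructed sample records; the real lists would come from the published Interface Inventory.

```python
"""Schema lint for PII and identity-join keys, plus a field-allow-listed export.

Added example, not REALLY's own code. The field lists and inventory below
are hypothetical; the sample records are constructed.
"""
import logging

logger = logging.getLogger("ztp.interfaces")

# Hypothetical denylist: column names that must never appear in a service schema.
PII_FIELDS = {"name", "full_name", "email", "address", "ssn", "date_of_birth"}

# Hypothetical identity-join keys: per-subscriber identifiers that, when stored
# side by side, form the subscriber-identity mapping ZTP prohibits.
IDENTITY_JOIN_KEYS = {"imsi", "imei", "msisdn", "mdn"}

# Hypothetical Interface Inventory: export name -> fields allowed to cross.
INTERFACE_INVENTORY = {
    "host_network_settlement": {"period", "bytes_up", "bytes_down", "session_count"},
    "support_context": {"ticket_id", "pseudonym", "plan_tier", "last_error"},
}


def lint_schema(table: str, columns) -> list:
    """Return lint findings for a proposed table schema (empty list = clean).
    PII columns are blocked outright; two or more identity-join keys in one
    table are flagged because that table would be a linking table."""
    findings = []
    cols = {c.lower() for c in columns}
    for col in sorted(cols & PII_FIELDS):
        findings.append(f"{table}.{col}: PII column is not permitted")
    joins = sorted(cols & IDENTITY_JOIN_KEYS)
    if len(joins) > 1:
        findings.append(f"{table}: identity-join keys {joins} must not share a table")
    return findings


class ExportDenied(Exception):
    """Raised when an export is outside the inventory or carries PII."""


def export_record(interface: str, record: dict):
    """Field-allow-listed export. Returns (sent_fields, dropped_field_names).

    Default is no-export: an interface missing from the inventory is refused.
    Fields not on the allow-list are dropped and logged. A record that carries
    PII at all is refused, because upstream linting should have made that
    impossible and the export is the wrong place to quietly fix it."""
    allowed = INTERFACE_INVENTORY.get(interface)
    if allowed is None:
        raise ExportDenied(f"unknown interface {interface!r}: default is no-export")
    pii = sorted(set(record) & PII_FIELDS)
    if pii:
        logger.warning("export %s refused: PII fields present %s", interface, pii)
        raise ExportDenied(f"{interface}: record carries PII fields {pii}")
    dropped = sorted(set(record) - allowed)
    sent = {k: v for k, v in record.items() if k in allowed}
    # The log line is the evidence trail: what crossed, and what was withheld.
    logger.info("export %s: sent=%s dropped=%s", interface, sorted(sent), dropped)
    return sent, dropped


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(lint_schema("subscribers", ["imsi", "email", "plan_tier"]))
    print(lint_schema("sim_map", ["imsi", "imei"]))
    # Constructed record: a join key leaks in from an upstream join and is dropped.
    print(export_record("host_network_settlement",
                        {"period": "2024-01", "bytes_up": 10, "bytes_down": 20,
                         "session_count": 3, "imsi": "CONSTRUCTED-IMSI"}))
```

Wiring `lint_schema` into migration review (fail the change if it returns any finding) is what turns "new fields require security/privacy review" from a procedure into a gate; the `dropped` list from `export_record` is the per-export change log the Interface Inventory promises, since any new field that starts showing up there is a field someone tried to send.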

7) Lawful Access (Compliance without a Dossier)

We honor valid, court-supervised legal process (e.g., warrants, court orders, subpoenas) and search only the systems/timeframes authorized. Because ZTP forbids PII collection for service operation, identity mapping, and centralized archives, disclosures are narrow and operational, not personal dossiers. Aggregate counts are published in our Transparency Report.

8) Vendors & Hosts

Vendors must meet ZTP requirements (no secondary use, minimal fields, no hidden copies). Host radio networks maintain their own RF/ops logs; REALLY does not provide them PII or a subscriber-identity mapping, and we do not operate a centralized identity-linked archive that could be queried through us.

9) Infrastructure Posture (Control-Plane)

Critical control planes run on servers operated by REALLY with strict segmentation (production vs. analytics vs. support), hardened baselines, protected secrets, signed releases, and verifiable build provenance.

10) Customer-Visible Commitments

  • No PII required to operate your service (anonymous signup & systems).

  • No subscriber-identity mapping, no identity-linked archive, short retention.

  • No data monetization.

  • Due process only for legal requests.

  • Included VPN for your internet path; VoLTE/VoNR-first and anti-downgrade guidance; Device Scanner and Anti-Spy Setup for hygiene.

11) Governance & Change Control

Owned by Security & Privacy; approved by executive and legal leadership. Any change to collection, retention, or interfaces requires ZTP review, sign-off, and a public change note. Versioned and re-certified at least annually or upon material change.

12) Incident Response & Breach Disclosure

  • Detect & contain: Continuous monitoring; rapid containment, key rotation, and session invalidation on credible indicators.

  • Forensics & scope: Independent triage; determine affected systems, data types, and time windows; preserve evidence.

  • Customer notification: Prompt notice to impacted customers with actionable guidance.

  • Regulatory notification: Comply with applicable breach-notification laws and timelines; coordinate with authorities as required.

  • Remediation & validation: Patch, harden, eradicate persistence; third-party validation where appropriate.

  • Post-incident improvements: Share high-level root cause and control enhancements; update public artifacts (Retention Matrix, Interface Inventory, Transparency Report) if scope touched them.

Honest limits

PSTN voice is not end-to-end encrypted; we favor modern call legs where available and recommend E2EE apps for sensitive content. Device compromise or physical capture is outside carrier control; our tools reduce exposure but cannot neutralize malware. Host RF logs exist at the radio provider; ZTP ensures we do not add identity joins or bulk archives on top of them.

Proof & verification (in progress)

We will publish:

  • A Retention Matrix (table/topic TTLs + last deletion-drill status).

  • Architecture & Data-Flow Diagrams (showing fields that never cross).

  • An Interface Inventory (allowed fields per export; change log).

  • A Transparency Report (counts of legal requests: received/complied/narrowed/denied).

  • Summaries of independent reviews/attestations (full reports available under appropriate terms).

Join the only carrier that makes privacy non-negotiable.